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SYSTEM FOR ELECTRONIC REPOSITORY OF DATA 
ENFORCING ACCESS CONTROL ON DATA RETRIEVAL 

Related Application 

5 

Copending application Serial # (IBM Docket # CA9-98-Q40) filed on even date herewith, entitled 
"System for Electronic Repository of Data Enforcing Access Control on Data Search and 
Retrieval" and incorporated herein by reference. 

10 Field of the Invention 

The present invention is directed to the field of electronic data storage, and provides, in particular, 
:% a secure data repository and exchange system administered by a third party data custodian in 
which access control is enforced on data retrieval. 

15 |~j Background of the Invention 

^ Recent parallel advances in network commiinications and public key infrastructure ("PKI") 
h& technology have prompted businesses and institutions to begin to utilize electronic 
g T documentation for record-keeping and for transactions of all types. With improvements in 
^ transmission integrity and security, it can be confidently assumed that documents sent 
20 y electronically over the Internet and other open networks will arrive intact and tamper-free. 
Database management systems coupled with modern computer memories capable of storing 
several gigabytes of data have made it practical for businesses and institutions to simply dispense 
with maintaining paper records whose bulk necessitates real estate costs. 

25 Typically, data originating in one entity may have to be transmitted to others for any number of 

reasons such as deposit, review, etc. The data elements could be of the form of unstructured 

document files or structured records, such as bank account and other financial information. Using 

the example of unstructured data, it may be necessary to forward a document from the originating 

system to other computers in the same system or to computers residing on different systems for 

30 the purposes of review. This could occur equally in a business situation (e.g., a proposal for a 
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joint venture or complex bid tender) as in an institutional setting (e.g., a graduate thesis to be 
reviewed by faculty advisers prior to submission to a university thesis review committee). The 
document has been created electronically since this will facilitate revisions and additions 
(particularly if it is lengthy) without having to retype the entire document each time. 

5 

Having the document in an electronic form also facilitates review of it because the document in 
this form is easily transmissible. However, rather than circulating the document, the document 
creator can let the intended reviewers know that it is available and provide them with access to it. 
To review the document, the authorized reviewers must be given access to the storage location of 
10 the document. 

" f There are a number of reasons why the document creator will not want to store the document 
locally. If local document storage means giving open access, behind its firewall, to other entities, 
■y a security risk (the threat of hackers) is created. Access into local storage also compromises data 

15 \'f t management, since one inadvertent action by a reviewer could erase the document file. Also, the 
' 3 lack of system and/or network availability may defeat any perceived convenience to reviewers in 
I * giving them direct access to the document in storage. System availability refers to whether the 
Y: document originator's local machine or LAN is made available at all times to accommodate 
O reviewers, while network availability refers to the constraint that it may be difficult for the 

20 y network to make available multiple points to the local storage location if several reviewers seek 
access at one time. 

There could also be reasons in a business or institutional situation that independent verification 
must be provided to show that a document originator has made its submission of a document on a 
25 certain date (e.g., a commercial tender). 

One solution is to use the repository of a third party, particularly one in the business of providing 
the service of a secure data repository and who is able, if required, to provide proof of deposit. 

2. 
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US Patent Nos. 5,615,268 and 5,748,738, both entitled "System and Method for Electronic 
Transmission Storage and Retrieval of Authenticated Documents" and both assigned to 
Document Authentication Systems, Inc., describe a system which provides data integrity and 
non-repudiation assurance using a proprietary Windows client to communicate with the data 
5 repository service. 

An important consideration not addressed in these patents is that the integrity and access to the 
data stored in the repository not be dependent on the actions of the third party that administers 
the document repository. In other words, the data custodian should not be able, through either 
10 inadvertent or malicious actions, to modify the contents of the data without that action being 
detected by the system users. Moreover, the data custodian should not be able to alter a user's 
O privilege to, or restriction from, access to a data element. 

J LJ In the above-described system of USP's 5,615,268 and 5,748,738, the data repository service is 
15 fy trusted not to reveal data to other users. There is no provision in this system for data privacy 
*' 3 using encryption technology. 

fU Summary of the Invention 

q Therefore, it is an object of the present invention to provide an electronic document storage and 
20 % ~ exchange system in which the documents are physically stored in a repository administered by a 
third party, but in which users have access to their documents and share them with each other. 

It is also an object of the invention to provide a system in which the integrity and access to the 
data stored in the repository is not dependent on the actions of the third party administrator. 

25 

Accordingly, in one aspect, the present invention is directed to secure electronic data storage and 
retrieval system, that consists of a data repository, a repository manager for managing storage and 
retrieval of encrypted electronic data of a depositing computer into and out of the data repository, 
and an agent program of the depositing computer. The agent program is accessible to the 
30 repository manager whether the depositing computer is online or off-line. The agent program 
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also has means to decrypt, on authentication of a requesting computer, the encrypted electronic 
data of the depositing computer retrieved from the data repository on request of the requesting 
computer. Preferably, the repository manager can digitally sign the encrypted electronic data 
prior to storage in the data repository, and then forward a copy of the signed encrypted data to 
5 the agent program, so that the agent program can verify against the signed encrypted data, the 
retrieved encrypted electronic data following decryption. 

In another aspect, the present invention provides a system and method for securely authenticating 
user access to electronic data stored in a data repository managed by a repository manager 
10 unrelated to a source of the data, in which an access control list of user authorizations is 
associated with the electronic data when stored in the data repository. The source is responsible 
O for updating the access control list, and maintains evidence of the current access control list. 
a ~ Evidence of the current access control list is also provided to any user computer which has 
effected the update. The source verifies that the updated access control list stored with the 
15 l'y electronic data in the data repository is accurate before releasing the data to the requesting 
y computer. 

I y The use of the invention is particularly advantageous in a system having a large number of 
O documents accessible to and accessed by a large number of users. The centralization of user 
20 "I access information improves system efficiency since it avoids duplication of the information. 
Moreover, the use of a powerful, centralized search authority permits richer searching - 
parameters need not be limited to document identity, but could conceivably include other 
identifiers, such as creation time, identity of document originator, etc. 

25 The invention may be realized in the form of media encoded with program code to effect the 
above- described system or processes. 

Brief Description of the Drawings 

Embodiments of the invention will now be described in detail in association with the 
30 accompanying drawings, in which: 
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Figure 1 is a schematic diagram of a document repository system utilizing a third party custodian; 

Figure 2 is a schematic diagram, similar to Figure 1, showing a vault document repository system 
5 utilized in the preferred embodiment of the present invention; 

Figure 3 is a flow diagram illustrating the process of document creation, according to the 
invention; 

10 Figure 4, consisting of Figures 4A and 4B, is a flow diagram illustrating the process of document 
retrieval according to the invention; 

% i Figure 5 is a flow diagram showing a process, according to the preferred embodiment of the 
m invention, for providing immutability of access control for document retrieval; and 

15 }y 

J ~ Figure 6 is a flow diagram illustrating a process for assigning ownership privileges over stored 
s documents, according to the invention; and 

l~ Figure 7 is a block diagram of a computer system for use with the present invention. 
20 3 

Detailed Description of the Preferred Embodiments 

A conventional arrangement for a document repository system utilizing a third party custodian is 
illustrated in Figure 1. A document originator 100 can deposit documents via its connection 102 
with a remote document repository service 104, such as a database, administered by a third party. 
25 As the owner of the deposited documents, the document originator 100 can assign access to the 
documents. For example, the document originator may assign a business partner 106 to have a 
"read" privilege, which means that the assigned business partner is allowed to retrieve the 
document via its connection 108 to the document repository service 104, but cannot make 
changes to the document on deposit. 
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In such conventional systems, the document deposited by the document originator 100 is normally 
not encrypted so that the business partner 106 will be able to review the document on demand. 
This is because there are problems associated with decrypting documents in the prior art. 
Document decryption requires access to the private key of the document originator 100. To give 
access to its private key, the document originator 100 must either make itself available online 
during all times that decryption might be requested in order to perform the decryption itself (the 
issue of system availability), or must set up a scheme in advance to make its private key available 
directly to the business partner 106 or through a trusted proxy (not shown). 

U.S. Patent No. 5,491,750 of International Business Machines Corporation, is for "Method and 
Apparatus for Three-Party Entity Authentication and Key Distribution Using Message 
Authentication Codes". This patent describes a system which allows for the distribution of secret 
session-management keys shared by two or more communication partners after the 
communication partners have been authenticated through a trusted intermediary. However, the 
keys generated under this scheme, and others like it, are short-lived and intended to be used as 
little as absolutely necessary. It is not clear that such a scheme would be appropriate to provide 
securely transmit decryption keys between communication partners in a document review system, 
with a persistent document repository. 

Thus, in conventional systems where documents are deposited for a period of time and are not 
encrypted (Figure 1), the third party administrator of the repository service 104 must be trusted 
with maintaining the integrity of the document. 

The document repository system of the preferred embodiment of the present invention is built 
using the IBM Vault Registry product, the subject of U.S. Patent Application No. 980,022, titled 
"Secure Server and Method of Operation for a Distributed Information System", filed November 
26, 1997, assigned to IBM Corporation. U.S. Patent Application No. 980,022 is hereby 
incorporated herein by reference. The IBM Vault Registry product provides an enhanced web 
server environment that implements a secure extension, called a vault, of the client's environment. 
This system relies on the modern transmission technology described in the Background of the 
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Invention, that electronic transmission of documents and other data will arrive intact and error 
free. Resources contained within a client's vault are available only when accessed from the client 
using strong authentication via certified public keys. Depending on the environment, access may 
be through the client's web browser. 

5 

The information content of the vault is encrypted for privacy. Each vault on a server has a unique 
encryption key and mechanisms that inhibit access to the keys except through the trust path 
approved by the owner of the vault, such as through a browser. Programs that run within a vault 
are isolated by operating system services to ensure such programs: 

10 

a) operate in a process with a system identity (a virtual logon) so that the identity is available to 
^ dependent processes without the possibility of alteration by a program operating in the vault; 
, S b) have access to the data content of the vault in which they are running - but to no other; 

c) are approved for running in the vault by the owner of the vault; and 
15 J ^ d) are signed to prevent tampering and 'Trojan horse" attacks. 

Programs operating in a vault can deposit information in the same vault or other vaults having 
secure access to each other's public keys. Normally, these vaults will be located on the same 
O vault server, but can be on different vault servers with access to a common Certificate Authority 

20 3 to provide the public key information. In the context of a vault repository, "deposit" can mean 
different things. In one implementation, deposit can refer to encrypting the data in the encryption 
key of the target vault and signing the data in the signature key of the depositing vault. Vault 
programs cannot directly access either encryption or signature keys. This is done through an API. 
Optionally, the "deposit" function can place information in a queue contained in the target vault. 

25 Another option provides a "return receipt" that ensures that the information was deposited and 
that a program in the target vault opened the data. All of these "deposit" functions provide a 
means to pass information among vaults in such a way that: 
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a) their origin process cannot be denied; 

b) their content cannot be viewed by those with the ability to inspect inter-process communication 
buffers; and 

c) delivery is guaranteed. 

5 

If an application does not choose to queue data to the target vault, it can elect to store the 
information in a file, database or use any other system services that can treat the data as an 
"opaque" item (e.g., serializing it for object persistence). This opaque information can be 
managed by standard system techniques for the purpose of backup and recovery. However, its 
10 content can only be decrypted by a program running in the context of the vault that owns it using 
the SecureDepositor application programming interfaces. 

,2 Using the IBM Vault Registry product, the preferred embodiment of the invention has been 
^ developed as illustrated schematically in Figure 2. 

is ru 

o As in the system of Figure 1, in the scheme illustrated in Figure 2 a document originator 200 can 
y deposit documents via its connection 202 with a document repository service 204, and as the 
\ y owner of the deposited documents, can assign levels of access to the documents to third parties 
y 206, such as business partners, who gain access to the documents in the document repository 
20 ^ service 204 via their own network connections 208. However, unlike the system described above, 

users of the document repository system are not obliged to trust the third party to maintain the 

integrity of documents filed in the repository. 

The document repository system 204 of the preferred embodiment comprises two components, an 
25 application server 210 and a vault controller 214. The application server (AS) is a program to 
administer the database repository 212, which may be on the same machine or may be remotely 
located on a closed network. The vault controller 214 includes a number of components, user 
vaults 216, 218 which are assigned on an individual basis to document originators 200 and 
business partners 206, an AS vault 220 assigned to the application server 210, and a vault 
30 supervisor program 222. 

B 
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A user vault 216 or 218 can be accessed only by the user (document originator 200 or business 
partner 206) to whom the vault has been assigned, upon proper authentication. The individual 
vaults do not have direct access to the document database 212, access is through the AS vault 
5 220 and the application server 210. 

The application server component 210 does not run on a trusted computing base, but can execute 
on any platform. The application server has a reciprocating component which runs in the AS 
vault 220 assigned to it in the vault server 214. The AS vault 220 can communicate with the 
10 application server 210, and through the application server, has access to the document database 
212. 

,~ Figure 3 is a flow diagram illustrating the process of document creation, according to the 
^ preferred embodiment of the invention. Using the IBM Vault Registry environment, a personal 
15 vault is notionally a secure extension of the vault owner's environment. Thus, the interaction 
y between the process steps in Figure 3 are shown between the vaults of the document originator 
j\ and the application server. 

O When creating a document in the data repository, the document is first sent from the desktop of 
20 the user who created or originated it, to the user's (document originator's) personal vault (block 
300), where the document is "signed" with the user vault's private signing key (block 302). 
An electronic signature of a data element is a guarantee, provided by the signatory, of the integrity 
of that data element. A signature may be computed by first computing the data element's digest. 
The digest is a relatively small structure (e.g. 128 bits for MD2 or MD5 digest) with specific 
25 properties to guarantee security. First, it is a one-way function, which means that given a digest, 
it is impossible to obtain the original document that produced it. In addition, given a digest, it is 
impossible (or computationally infeasible) to find a second pre-image, which would have the same 
digest. The digest is also collision-resistant. This means that two different pre-images are highly 
unlikely to produce the same digest. 

30 
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The data element's digest is then encrypted with the user vault application's private signing key 
(block 304). In the preferred embodiment, both symmetric and public-key asymmetric 
cryptography technology are utilized. 

5 With public key cryptography, an application has two keys, a public key and a private key, 
referred to as a key pair. The private key is held locally by the application, and is discussed in 
further detail below. The public key is made available to all users, usually through a directory 
service, such as X.500 distributed directory. Public key distribution is well known in the art, and 
is not discussed in further detail in the present specification. 

10 

When public key cryptography is used, a data element encrypted with the public key may only be 
^ decrypted with the corresponding private key. Similarly, a data element encrypted with the 
; : i private key may only be decrypted with the public key. 

15 I *jj In symmetric key technology, a single key is used for both encryption and decryption. In current 
^ practice, encryption/decryption and key generation are much faster in symmetric key technology 
h & than with public-key asymmetric technology . 

U Data is normally encrypted using a randomly generated symmetric key. Then, the symmetric key 
20 g is itself encrypted using the user's public encryption key, and is stored with the document so that 
it becomes part of the document. 

Continuing with Figure 3, the encrypted document and the electronic signature are forwarded to 
the application server's vault for filing in the document database (block 306). On receiving the 
25 encrypted document (block 308), the application running in the application server's vault notarizes 
the signature (block 310) by re-signing it with its own private signing key. 

The notarization of a signature, in an electronic context, means that a third party, which acts as a 
"notary", certifies the content of a signature. (All of the duties attending the legal office of 
30 notary, as conferred by a government authority, are not intended to be covered by the references 
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in this specification to "notary" and Notarization" ) In general, electronic notarization of a 
signature is done as an extra precaution, in order to prevent unauthorized modification of the 
signature at a later time. In the case of the present invention, notarization of the user's digital 
signature prevents the user from replacing or modifying the original document in the document 
5 repository. A check of the notarized signature associated with the document would reveal any 
inconsistencies. 

A notarized electronic signature contains two pieces of information, the originator's signature of 
the given data element and the notary's signature of the originator's signature. The notary's 
10 signature should be computed over the originator's signature and the current time stamp. 

O The application running in the application server's vault then signs the document it has received 
a ; (block 312). Because the data it receives from the document originator is encrypted, the 
; : ^ application server actually has no knowledge of the contents of the document. Therefore, 

15 i y according to the invention, this second signature is computed over the encrypted document, and 
y the originator's notarized signature. The application server's signature constitutes a 
y non-repudiation receipt, providing proof to the document originator (depositor) that the 
jj ^ repository service received the document. The creation of the document in the repository may 
p then not be denied later by the repository service. 

20 J : J 

The encrypted document, the document originator's notarized signature, and the non-repudiation 
receipt are all stored in the application server's repository or the application database (block 314). 
The non-repudiation receipt is sent to the vault of the document originator (block 316). The vault 
of the document originator checks the correctness of the non-repudiation receipt (block 318) by 
25 verifying the signature of the encrypted document. The document originator's vault also checks 
the currency of the time stamp in the notarized signature (block 320). The tolerance for the time 
stamp is application dependent. If either of these tests fail, an error message is returned to the AS 
vault (block 322) and logged in the system. If the receipt is correct and current, the application 
running in the user's vault returns the non-repudiation receipt to the originating user (block 324) 

// 
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to be cached locally for future reference, in the event proof is required that the document has been 
stored in the repository. 

It is possible that the document originator may sign and/or encrypt the document using his own 
proprietary technique, before submitting it to his vault for storage. However, the document 
repository is not sensitive to the content of the document being stored. Hence, an encrypted 
document will be re-signed and re-encrypted by the user's vault, as any other document would be 
handled. 

Figure 4 is a flow diagram illustrating the steps, according to the preferred embodiment of the 
invention, which must take place to permit a document to be retrieved by a requestor who has 
been authorized under the document originator's access control list (ACL). The establishment 
and maintenance of ACLs is discussed in detail below. 

As in Figure 3, the process steps shown in Figure 4 are the actions and interactions between the 
vaults of the document originator, application server and requestor, on the basis that the personal 
vaults of each are notional secure extensions of their respective work spaces, as provided in the 
IBM Vault Registry product or an environment with similar properties. 

Beginning with Figure 4A, the requestor makes a request to his vault application to retrieve a 
document from the application server repository (block 400), and the requestor's vault 
application, in turn, forwards the request for the document to the application server's vault (block 
402). 

The application server's vault application receives the access request (block 404) and retrieves the 
encrypted document, the originator's notarized signature and the signed ACL from the application 
database (block 406). 
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The application server's vault application sends the encrypted document, the notarized signature 
and the signed ACL to the vault of the document originator. The application server's vault also 
sends the requestor's identity vault to the originator's vault (block 408). 

5 The originator's vault checks that the requestor is authorized to retrieve the document (block 
412). Document access control is enabled, in the preferred embodiment, through access control 
lists used to restrict document access only to authorized entities. An access control list is 
associated with a document and must be checked when a requestor sends a request to retrieve a 
document. A requestor will only be given a copy of the document if it has access. The requestor 
10 can verify access in advance of making a request if capability lists are used. If the requestor is not 
authorized to access the document, an error message is returned to the originator and is logged in 
I; 3 the system (block 414). 

^Lf Continuing with Figure 4B, if the requestor is authorized to receive the document, the originator's 
15 fU vault application decrypts the document (block 416) and verifies the notarized signature (block 
418). Since the originator's original signature was computed over the unencrypted document 

:\ contents, only those users with access to the document contents are able to verify the signature. 

!U If the received signature does not correspond with the decrypted document, then it will be clear 

p that it is not the same version of the document as deposited, and the originator will return an error 
20 ^ message to the application server (block 420). 

If the signature is verified, the originator forwards the decrypted document and the notarized 
signature to the requestor's vault (block 422). 

25 On receipt of the decrypted document, the requestor's vault application attempts to verify the 
originator's notarized signature using the notary's public signature key (block 424). If the 
requestor is unable to verify it, an error message is returned to the originator and logged in the 
system (block 426). 

13 
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If the originator's notarized signature can be verified, the requestor's vault signs the notarized 
signature that it received with the document. This signature is computed over the notarized 
signature, as well as the current time stamp, and constitutes a delivery receipt (block 428) proving 
that the document was retrieved from the repository. The requestor's vault returns the decrypted 
5 document along with the non-repudiation receipt it has generated to the requestor's desktop 
(block 430). The requestor's vault also forwards the non-repudiation receipt to the application 
server's vault (block 432). The application server verifies the signature of the requestor vault on 
the receipt (block 434). If the signature does not correspond to the document, the receipt is 
marked as incorrect or as "missing receipt", and is cached, if the application includes this storage 
10 function (block 436). If the signature can be verified, the application server vault stores the 
receipt in the application database as proof that the requestor did retrieve the document (block 
u 438). 

m Immutability of Access Control for Document Retrieval 

is - ru 

u As discussed above, in a data repository, there is a requirement for document access control. This 
y ;; means that only those users authorized by the document's owner, are able to view the document, 
j ^ and that document access permissions may only be modified by the document's owner (i.e., the 
□ document originator) and those other users that have been authorized by the document's owner to 
20 ^ modify the given document's access control list. It is important to have assurance that even the 

repository administrator does not have the power to modify a document's access permissions 

without authorization from the document's owner. 

There are two different types of application requirements for establishing the immutability of 
25 document access control. Document access should be checked: 

1) when a user performs a search to find all documents that it is authorized to view; and 

2) when a user performs an actual retrieval of a document. 

14- 
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All applications must enforce access control on document retrieval (access type 2 above). For 
this type of access, the repository must guarantee that the access control of a document cannot 
possibly be modified by an unauthorized user, such as a business competitor. 

5 Some applications must also enforce access control on document search, particularly in situations 
where users have no means to determine which documents they have been granted access, except 
through the application server of the repository. A system that enforces immutability of access 
control on both document search and retrieval is the subject matter of our concurrently filed 
application titled "System for Electronic Repository of Data Enforcing Access Control on Data 
1 0 Search and Retrieval" (IBM Docket No. CA998-040). 

f 3 In some applications it is not essential for a user to be able to query the document repository for 
all documents that it is authorized to see. For example, this knowledge may be communicated 
^ off-line through business meetings, by e-mail or over the telephone. In such a case, the user 
15 fy already knows what documents it has access to, and therefore, the requestor's knowledge of its 
; ^ own document access cannot be affected by actions of the repository. 

f U In the preferred embodiment, each document has, associated with it, an access control list (ACL) 
fj which identifies the access authorization to the document for different users. In order to 
20 ^ guarantee immutability, each ACL is processed in the document originator's vault as illustrated in 
Figure 5. 

Each ACL is associated with a version number and a time stamp of its latest modification. When 
an ACL is updated (block 500), its version number is incremented (block 502) and the old time 

25 stamp associated with the ACL is replaced with the most current time stamp (block 504). A 
token, which is intended to guarantee the immutability of the ACL, is created from the current 
version number and time stamp now associated with the ACL. The token is signed by the 
document originator's vault (block 506). A data structure, such as a text string or binary 
structure, is produced by attaching the token to the ACL (block 508). The data structure is 

30 signed by the owner's vault to eliminate the possibility of it being substituted (block 510), and 
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forwarded, together with the ACL and token, to the AS vault for storage in the document 
repository (block 512). 

The ACL token is also forwarded to the vault of any user with authorized access to the document, 
5 for storage with the user's access application on its desktop (block 514) for fiiture ACL 

verification. The signed token is forwarded to the document originator's desktop for storage 
(block 516). Because it is holding a copy of the signed token, the document originator becomes 
the final arbiter of whether the document ACL is up-to-date or not. 

10 When a business partner wants to retrieve a document, the AS vault application sends the 
encrypted document to the originator's vault as described above (block 408 of Figure 4A). 
O Together with the document, the notarized signature, and the requester's ID, the AS vault will 
also send to the originator's vault the signed ACL. In order to verify the requestor's authorization 
^ (block 412 of Figure 4 A), the originator's vault then performs the following checks: 
1 5 J L verifies the correctness of the ACL signature; 

y 2. verifies that the version number and time stamp match what's stored inside the originator's 
y :: vault; and 

I y 3. checks in the verified ACL that the requester has access to the indicated document. 

20 1% With this technique, nobody can modify the ACL stored in the application database, without that 
change being detected by the originator's vault. 

As described above, each user which owns documents in the repository, keeps on its desktop the 
signed tokens of the correct version of each ACL. The ACL versions kept by the user's vault are 
25 verified by comparing the signed token stored on the user's desktop with the one stored in the 
user's vault. This comparison can be performed at different times; one good opportunity to verify 
the ACLs stored inside a user's vault is during logon, so that every time the user logs on, the 
user's ACLs are verified. 
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If ACL verification fails, the user's vault application can automatically stop honoring all requests 
to retrieve the document protected by the ACL. This state of document inaccessibility would 
persist until the user either creates a new ACL, or re-certifies the existing ACL. The process of 
re- certification of the existing ACL would include synchronizing the ACL token stored in the 
user's vault with the token stored on the user's desktop. 

In this embodiment, the actual ACL is stored in the application database. If a user wants to 
perform a search of documents he is authorized to, this search can only be performed by 
application server's vault application, the only program with direct access to the application 
database. However, any misinformation by a "malicious" application server about a user's access 
rights to a document can be checked. The application server does not have access to the signed 
J ACL token on the user's workstation or in the user's vault. The user will discover that its token 
z does not correspond with the information received from the application server the next time the 
2 user verifies the token (see Back- up and Recovery section below). This will be particularly 
* useful in a system designed in such a way that access to a document can only be granted, but not 
i later removed. 

^ Assignment of Ownership Privileges 

i Some environments require that a document originator be able to allow someone else to modify 
^ the access list of the given document. For example, if the owner is not available, another 
authorized user will have the ability to update the given document's access control. 

According to a preferred embodiment of the invention, this function can be implemented as 
illustrated in Figure 6. When ACL update is attempted, the updating user must be able to present 
the up-to-date signed token for the ACL (block 600). The signed token is sent to the updating 
user's own vault (block 602) which passes the signed token to the originator's vault (block 604). 
The originator's vault checks the validity of the token (block 606) by comparing it with the signed 
token it has in its own storage. The originator's vault also checks the authority of the updating 
user (block 610). 

n 
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If the token is invalid or the updating user does not have ownership privileges assigned in the 
ACL of this document, then the document originator's vault will detect this, refuse the update and 
return an error message to the user's vault (blocks 608). 

5 If the originator's vault can verify the signing user's access to the document, and that the version 
number, and time stamp of the ACL token are current (block 706), the ACL is updated (block 
710) and a new token is generated and signed (block 712), and stored in the originator's vault 
(block 714). The new signed token is sent to the updater's vault (block 716). The updater's vault 
returns the new token to the updater's desktop for storage (block 718). The new signed token 
10 may also, optionally, be forwarded to the application server's vault for storage in the repository 
(block 720). 

This procedure requires that only one person may perform an ACL update at any given time. For 
I j example, if a document originator John will be leaving for vacation, he can permit a co-worker, 

15 |4 Mary, to update the ACL of his document in his absence from the office by giving Mary his up-to- 
y date token for the ACL of the document. Mary then issues an ACL update by presenting the 
l =, token through her vault to John's vault. Mary receives the new signed token for the ACL which 
! y she returns to John on his return to the office. After installing the new token, John can issue his 
O own ACL update. 

20 % 

Data Backup and Recovery 

Occasionally it may be necessary for the administrator of the document repository to restore the 
document database from a previous backup. This may be necessary, for example, in case of a 
catastrophic database failure, such as a disk crash. The data that needs to be included in a backup 
25 are the documents themselves, the ACLs (whether stored in the application database or in the 
owner's vaults), the capability lists (for the systems the implement them, as described above), and 
the verification tokens of ACLs and capability lists. 
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Following a data restoration, updates made after the most recent backup may be lost. For the 
purposes of the present invention, this could include ACL and capability list updates. When this 
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occurs, the verification tokens stored on user desktops may not correspond with the tokens in the 
corresponding vaults, denying users proper access. 

Therefore, the following system has been implemented to provide a standard for data restoration 
5 in different situations. It is assumed that the backup was taken at TIME1, while the restoration 
occurred at a later TIME2 based on the state of the data at TIME1 that the requestor did retrieve 
the document. 

Where the a complete data restore of the document database, ACLs, capability lists and 
10 corresponding tokens stored in the vaults is performed, users authorized to access a document 
before TIME1, can also access it after TIME2. This means that if a user was authorized before 
p TIME1, but the authority was revoked after TIME1 but before TIME2, the user will have 
document access until the document originator performs a check of the ACL token. All users 
W should therefore do an ACL and capability list check following a complete data restoration. 
15 fy 

^ Where only the document database was restored, while the ACLs, the capability lists and the 
« vault- stored tokens are untouched, users may find that they are authorized to access a document 
fy which does not exist in the database because the document has been added after TIME1, but 
h subsequently lost in the database restore. Since all tokens are up-to-date, no other anomalies will 
20 O occur. 

Another case involves a system in which capability lists are not used, but the ACLs are stored in 
the application database. Where the document database and the ACL have been restored, while 
the vault-stored tokens have not, users will find that all documents whose ACL changed after 

25 TIME1 are inaccessible. This is because the ACL tokens in the application database do not match 
the tokens stored in the individual owners 1 vaults. To deal with this, all document originators will 
have to update the ACLs. One way to do this is for the administrator to send the old ACLs 
(which were in effect at TIME1) to document originators, and ask them to re-install the 
corresponding tokens in their vaults. This update would be manual, not automatic, and an 

30 owner's documents would be inaccessible until the owner has performed the update. 
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For situations where database inconsistencies must be avoided, the repository administrator may 
disable access to all documents after a restore, until the originator takes corrective action. This 
disabling of access may apply to all documents stored in the repository, or to only a subset of the 
5 documents, whose consistency is the most critical. In this case, the repository administrator must 
be relied upon to preserve consistency of the system. However, as described above, the 
administrator in any case does not have the power to grant or revoke users 1 access to a document. 

In order to minimize the ability of orchestrated attack on the system, it is important to separate 
10 the roles between the administrator of the vault server and the corresponding local vault storage, 
on the one hand, and the database administrator, on the other. 

,S The present invention can be used on any properly configured general purpose computer system, 
; ij such as the one shown in Figure 7. Such a computer system 700 includes a processing unit (CPU) 
15 ry 702 connected by a bus 701 to a random access memory 704, a high density storage device 708, a 
q keyboard 706, a display 710 and a mouse 712. In addition, there is a floppy disk drive 714 and a 
L CD-RDM drive 716 for entry of data and software, including software embodying the present 
f U invention, into the system on removable storage. An example of such a computer is an IBM 
□ Personal computer of the International Business Machines Corporation, such as an Aptiva 
20 ^ personal computer operating on Microsoft Windows 98 operating system of the Microsoft 
Corporation. Also in this example there is an internet browser capable at running Java such as 
Netscape Navigator, e.g., Netscape Communications Corporation, Internet Explorer, e.g., 
Microsoft Corporation. 

25 Preferred embodiments of the invention implemented by means of the IBM Vault Registry 
product have been described. However, it will be obvious to the person skilled in the art that the 
present invention could be implemented using other products that provide similar functions, such 
as secure vault-like environments located locally with each user's desktop. Modifications of this 
nature and others that would be obvious to the person skilled in the art are intended to be covered 

30 by the scope of the appended claims. 
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We claim: 

1 . A secure electronic data storage and retrieval system, comprising: 
5 a data repository; 

a repository manager for managing storage and retrieval of encrypted electronic data of a 
depositing computer into and out of the data repository; 

an agent program of the depositing computer, accessible to the repository manager 
whether the depositing computer is online or off-line, the agent program having means to decrypt, 
10 on authentication of a requesting computer, the encrypted electronic data of the depositing 
computer retrieved from the data repository on request of the requesting computer. 

:; ; 2. The system, according to claim 1, where the repository manager is further adapted to 
;*« digitally sign the encrypted electronic data prior to storage in the data repository, and to forward 
15 If y a copy of the signed encrypted data to the agent program of the depositing computer, and wherein 
q: the agent program of the depositing computer is adapted to verify against the signed encrypted 
data, the retrieved encrypted electronic data following decryption. 

p 3. The system, according to claim 2, wherein the agent program is further adapted to 
20 forward the decrypted electronic data to the requesting computer. 

4. The system, according to claim 3, wherein the agent program is a secure extension of the 
depositing computer and is adapted to manage communications between the depositing computer 
and the repository manager. 

25 
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5. The system, according to claim 4, further comprising a server having communication links 
with the repository manager, the depositing computer and the requesting computer, the server 
housing: 

the agent program of the depositing computer; 

a second environment comprising a secure extension of the repository manager, said 
second environment adapted to manage communications to and from other environments on the 
server with the repository manager; and 

at least a third environment comprising a secure extension of the requesting computer, 
said third environment adapted to manage communications to and from other environments on the 
server with the requesting computer. 

6. The system, according to claim 5, wherein the agent program of the depositing computer 
comprises means to encrypt and digitally sign electronic data received from the depositing 
computer, and to forward the encrypted electronic data and signature to the repository manager 
for storage in the data repository. 

7. A process for securely authenticating user access to electronic data stored in a data 
repository managed by a repository manager unrelated to a source of the electronic data, 
comprising: 

associating an access control list of user authorizations with the electronic data when 
stored in the data repository; 

effecting updates to the access control list from the source of the electronic data; 

storing the updated access control list with the electronic data stored in the data 
repository; storing evidence of the updated access control list at the source of the electronic 
data and at any user computer to have effected the update; and 

verifying accuracy of the updated access control list stored with the electronic data in the 
data repository with the evidence stored at the source before releasing the electronic data to a 
requesting authorized user. 
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8. The process, according to claim 7, wherein the step of effecting updates to the access 
control list comprises: 

identifying a revision level of the updated access control list; and 
associating a current time stamp with the updated access control list, 
and wherein the step of storing evidence comprises: 

creating a token of the revision level and current time stamp; and 

storing the token at every user with access to the electronic data in the data repository. 

9. The process of claim 8, further comprising: 

attaching the token to the updated access control list to form a data structure; 
digitally signing the data structure; and 

storing the signed data structure with the updated access control list in the data repository 
and at the source, and wherein the step of verifying accuracy of the updated access control list 
comprises: verifyingdecrypting the data structure signature at the source; and 

comparing the verified data structure with the updated access control list retrieved from 
the data repository. 

10. The process of claim 8, wherein the step of storing evidence further comprises: 
digitally signing the token; and 

storing the signed token at the source. 

1 1 . The process of claim 1 0, further comprising: 

forwarding the digitally signed token to a user authorized by the source to update the 
access control list; and 

on presentation of the digitally signed token by the user authorized to update the access 
control list, 

verifying the token signature at the source; and 

comparing the verified token with the revision level and current time stamp associated 
with the updated access control list retrieved from the data repository. 
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12. A process for secure storage and retrieval of electronic data in a remote data repository, 
comprising: 

digitally signing the electronic data at source; 

encrypting the electronic data at the source; 

forwarding the encrypted electronic data to the data repository; 

digitally signing the encrypted electronic data at the data repository to produce a deposit 

receipt; 

storing the encrypted electronic data and deposit receipt in the data repository; and 
returning a copy of the deposit receipt to the source. 



13. The process, according to claim 12, further comprising: 

receiving a request from a requesting user, for access to the stored electronic data; 
retrieving the encrypted electronic data and forwarding the retrieved data to the source; 
verifying the requesting user as authorized to access the electronic data; and 
if verified, decrypting the retrieved data. 



14. The process, according to claim 13, further comprising: 

associating an access control list of user authorizations with the electronic data when 
stored in the data repository; 

effecting updates to the access control list from the source of the electronic data; 

storing the updated access control list with the electronic data stored in the data 
repository; and 

storing evidence of the updated access control list at the source and at every user with 
authorized access to the electronic data in the data repository. 

15. The process, according to claim 14, wherein the step of verifying the requesting user as 
authorized comprises locating the requesting user on the updated access control list. 
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16. The process, according to claim 15, further comprising the step of verifying accuracy of 
the updated access control list stored with the electronic data in the data repository with the 
evidence stored at the source before releasing the electronic data to the requesting user. 

17- A computer program product on a computer usable medium for securely 

authenticating user access to electronic data stored in a data repository managed by a 
repository manager unrelated to a source of the electronic data, said computer program 
product comprising: 

computer software for associating an access control list of user authorizations with 
the electronic data when stored in the data repository; 

computer software for effecting updates to the access control list from the source 
of electronic data; 

computer software for storing the updated access control list with the electronic 
data stored in the data repository; 

computer software for storing the evidence of the updated access control list at the 
source of the electronic data and at any user computer to have effected the update; and 

computer software for verifying accuracy of the updated access control list stored 
with the electronic data in the data repository with the evidence stored at the source 
before releasing the electronic data to a requesting authorized user. 

18. The program product of claim 17, wherein the computer software for effecting 

updates to the access control list comprises: 

computer software for identifying a revision level of the updated access control 
list; and 

computer software for associating a current time stamp with the updated access 
control list, and wherein the step of storing evidence comprises: 

computer software for creating a token of the revision level and current time 
stamp; and 

2iT 
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computer software for storing the token at every user with access to the electronic 
data in the data repository. 

1 9. The program product of claim 1 8, further comprising: 

computer software for attaching the token to the updated access control list to 
form a data structure; 

computer software for digitally signing the data structure; and 

computer software for storing the signed data structure with the updated access 
control list in the data repository and at the source, and wherein the software for verifying 
accuracy of the updated access control list comprises: 

computer software for verifying decrypting the data structure signature at the 
source; and 

computer software for comparing the verified data structure with the updated 
access control list retrieved from the data repository. 

20. The program product of claim 18, wherein the computer software for storing 
evidence further comprises: 

computer software for digitally signing the token; and 
computer software for storing the signed token at the source. 

2 1 . The program product of claim 20, further comprising: 

computer software for forwarding the digitally signed token to a user authorized 
by the source to update the access control list, and 

on presentation of the digitally signed token by the user authorized to update the 
access control list, 

verifying the token signature at the source; and 

comparing the verified token with the revision level and current time stamp 
associated with the updated access control list retrieved from the data repository. 
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22. A computer program product on a computer for secure storage and retrieval of 
electronic data in a remote data repository, comprising: 

computer software for digitally signing the electronic data at source; 
computer software for encrypting the electronic data at the source; 
computer software for forwarding the encrypted electronic data to the data 
repository; 

computer software for storing the encrypted electronic data and deposit receipt in 
the data repository; and 

computer software for returning a copy of the deposit receipt to the source. 

23. The program product according to claim 22, further comprising: 

computer software for receiving a request from a requesting user, for access to the 
stored electronic data; 

computer software for retrieving the encrypted electronic data and forwarding the 
retrieved data the source; 

computer software for verifying the requesting user as authorized to access the 
electronic data; and 

computer software product for decrypting the retrieved data when verified. 

24. The computer program product according to claim 1 8, further comprising: 
computer software for associating an access control list of user authorizations with 

the electronic data when stored in the data repository; 

computer software for effecting updates to the access control list from the source 
of the electronic data; 

computer software for storing the updated access control list with the electronic 
data stored in the data repository; and 

computer software for storing evidence of the updated access control list at the 
source and at every user with authorized access to the electronic data in the data 
repository. 9 - 
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25. The computer program product according to claim 24, wherein the computer 
software for verifying the requesting user as authorized comprises computer software for 
locating the requesting user on the updated access control list. 

26. The computer program product according to claim 25, further comprising 
computer software for verifying accuracy of the updated access control list stored with the 
electronic data in the data repository with the evidence stored at the source before 
releasing the electronic data to the requesting user. 
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SYSTEM FOR ELECTRONIC REPOSITORY OF DATA 
ENFORCING ACCESS CONTROL ON DATA RETRIEVAL 

ABSTRACT OF THE DISCLOSURE 

When an electronic document is made available for review by other entities, it is often convenient 
5 to store the document in a repository or database managed by a third party. A system is provided 
in which the originator of the document is able to ensure the integrity and security of its document 
filed with a third party repository without having to trust the administrator of the repository. 
Both the document originator and the repository administrator have vault environments which are 
secure extensions of their respective work spaces. The vault of the document originator encrypts 
|| a document that it receives from the originator, prior to forwarding it on to the vault of the 
s "= repository. On receipt of the encrypted document, the repository's vault signs the encrypted 
l f: document itself before storing the document in the electronic repository and returns to the 
FU originator's vault proof of deposit of the encrypted document in the form of a copy of the signed 
q encrypted document. An access control list identifying access ownership privileges for the 
/g" document are also stored in the repository. Updates to the access control list are under the control 
f y of document originator, or another computer designated by the document originator. When a 
p request is made to view the document, it is made from the vault of the requesting party (a secure 
^ extension of the requesting party's work space) to the repository's vault. The repository's vault 
retrieves a copy of the encrypted document which it forwards, along with the requestor's identity 
2o to the originator's vault. The originator's vault verifies that the access control is valid, then 
verifies that the requestor is authorized to view the document from the access control list, then 
decrypts the document and forwards the decrypted document directly to the requestor's vault. 
The requestor provides proof of receipt of the decrypted document. 
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James E. MurrayiReg. 20,915); Kevin JordanfReg. 40,277}; Stephen C. Kaufnan(Reg. 25,551); 

Jay P. Sbrollini(Eeg, 36,266); David K> ShofijReg, 39,835); Robert M. TreppjReg. 25,933); 

Louis P, Herzberg(Reg, 41,500); Douglas W. Caieron(Reg. 31,595); Paul Otter stedt { Reg , 37,411); Louis J. 

PereellofReg. 33,206); Daniel P. MorrisjReg, 32,053), 

Send Correspondence to: Janes E. Hurray 

69 South Gate Drive, Poughkeepsie, N.T. 12601 
Telephone: (514) 462-4753 

I hereby declare that all statements lade herein of iy own knowledge are true and that all statements 
made on information and belief are believed to be true; and further that these stateieats were made with 
the knowledge that willful false stateients and the like so lade are punishable by fine or imprisonment, 
or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements 
lay jeopardize the validity of the application or any patent issued thereon. 

Full Naue of sole or first inventor: EAHID BACBA 

Signature: 

' Residence: 9510 LOCUST HILL DR. , GREAT FALLS, VIRGINIA 22066 
Citizenship: U.S. 
Post Office Address: Saie as above 

Full Name of second joint inventor: ROBERT BRUCE CARROLL 

Signature: , „ Da ^ e: — 

Residence: 246 BYRAK LAKE ROAD, MOUNT KISCO, HEfT YORK 1 0549 

Citizenship: U.S. 

Post Office Address: Saie as above 

Full Name of sole or third inventor: LEV HIRLAS 

Signature: Date: — 

Residence: 98 KILLCROFT HAY, THORHHILL, ONTARIO, CANADA, L4J 5P4 
Citizenship: CANADIAN 
Post Office Address: Sane as above 
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Full Naae of fourth inventor: SONG WEI TCHAD 

Signature: Date: 

Residence: 168 HOLLYWOOD AVE. , TORONTO, ONTARIO, CANADA M2N 3K5 

Citizenship: CANADIAN 

Post Office Address: Sane as ahove, 
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DECLARATION AND POWER OF ATTORNEY FOR PATENT APPLICATION 
As a below Based inventor, we hereby declare that: 

My residence, post office address and citizenship are as stated below next to ay naie. I believe I am 
the original, first and sole inventor (if only one name is listed below) or an original, first and joint 
inventor (if plural nates are listed below) of the subject tatter which is claiied and for which a patent 
is sought on the invention entitled SYSTEM FOR ELECTRONIC REPOSITORY OF DATA BOOKING ACCESS CONTROL 
ON DATA RETRIEVAL 

the specification of which (check one) 
x is attached hereto 

was filed on as United States Application Nuiber 

or PCT International Application Nuiber 

and was amended on . 



I hereby state that I have reviewed and understand the contents of the above identified specification, 
including claiis, as amended by any aiendient referred to above. I acknowledge the duty to disclose to 
the D.S. Patent and Tradeiark Office all information known to ne to be material to patentability as 
defined in 37 CFR § 1,56. 

I hereby claii foreign priority benefits under 35 u.S.C. § 119(a)-(d) or 

§ 365(b) of any foreign application(s) for patent or inventor's certificate, or 5365(a) of any PCT 
International application which designated at least one country other than the United states, listed 
below and have also identified below any foreign application for patent or inventor's certificate, or PCT 
International application having a filing date before that of the application on which priority is 
claimed. 

Priority Claiaed 

2 , 256 ,934 CANADA 23/12/98 _X Yes No 

(Nuiber) (Country) (Day/Month/Year Filed) 

Yes No 

(Number) (Country) (Day/Month/Year Filed) 

I hereby claii the benefit under 35 U.S.C. § 119(e) of any United States provisional application! s) 
listed below. 



(Application Nuiber) (Filing Date) 



(Application Number) (Filing Data) 

I hereby claii the benefit under 35 U.S.C § 120 of any United States application! s } , or § 365(c) of any 
PCT International application designating the United States, listed below and, insofar as the subject 
tatter of each of the claiis of this application is not disclosed in the prior United States or ?CT 
International application in the na&ner provided by the first paragraph of 35 U.S.C. § 112, I acknowledge 
the duty to disclose material inforiation as defined in 37 CFR § 1.56(a) which occurred between the 
filing date of the prior application and the national or PCT international filing date of this 
application: 



(AppL Serial No.) (Filing Date) (Status) (patented, pending, abandoned) 



(Appl. Serial No.) 



(Filing Date) 



(Status) (patented, pending, abandoned! 
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ADDED PAGE TO C0H6IMED DECLARATION AND POWER OF ATTORNEY 
FOR SIGNATURE BY FIRST AND SUBSEQUENT INVENTORS 



POtfER OF ATTORNEY: As a nailed inventory I hereby appoint the following attorney ( s } and/or agent(s) to 
prosecute this application and transact all business in the Patent and Tradeiark office connected 
therewith: 

Manny „. Schec ter ( Reg , 3 1 F 722 ) ; Terry Ilardi(Reg. 29,936 }; Christopher R. HughesfReg 25,914); 

Edward A. Pennington ( Reg . 32,588); John S. Hoelj Reg. 2 6 , 2 79 ); Joseph C, Redmond, Jr. {Reg. 18,753); 

Jases E. Murray{ Reg. 20,915); Kevin K. JordanfReg. 40,277); Stephen C. Kaufsanf Reg, 29,551); 

Jay P, SbrolliniUeg. 3 6 r 2 6 6 ) ; David M. ShofUReg, 39,835 ); Robert H. Trepp( Reg. 2 5 , 933 ); 

Louis P, Herzberg(Reg. 41,500); Douglas W. CaiercnlReg. 31 , 596 ); Paul Otter stedt { Reg , 37,411); Louis J, 

Percello(Reg. 33,205); Daniel P, Morris! Reg. 32,053). 



Send Correspondence to: Jaies B. Murray 

59 South Gate Drive, Poughkeepsie, N.Y. 12501 
Telephone; {914) 452-4763 



I hereby declare that all stateients lade herein of sy own knowledge are true and that all statements 
made on information and belief are believed to be true; and further that these statements were made with 
the knowledge that willful false statements and the like so lade are punishable by fine or isprisonaent, 
or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements 
lay jeopardize the validity of the application or any patent issued thereon. 



Full Naoe of sole or first inventor: HAHIB BACHA 



Signature: Sate; 

Residence: 9510 LOCUST HILL DR., GREAT FALLS, VIRGINIA 22066 

Citizenship: U.S. 

Post Office Address: Saie as above 



lull Naie of second joint inventor: ROBERT BRUCE CARROLL 



Signature: WdvUt J^Uc&L l^CfM*. 




Date: /Uf/ff 




Residence: 245 BYRAM LAKE ROAD, MOUNT KISCO, HEW YORK 10549 



Citizenship: U.S. 

Post' Office Address: Sane as above 



Full Naie of sole or third inventor; 



LEV MIRLAS 



Signature: 

Residence; §8 HILLCROFT MAY, THORNHILL, ONTARIO. CANADA, L4J 5P4 
Citizenship: CANADIAN 
Post Office Address: Sane as above 



Date; 
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Full {fane of fourth inventor: SUNG »EI TCHflQ 

Signature: Date: 

Residence: 168 BOLLYWOOD AVI. , TORONTO, ONTARIO, CANADA M2H 3K5 

Citizenship: CANADIAN 

Post Office Address: Sane as above. 
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DECLARATION AND POWER 0? ATTORNEY FOR PATENT APPLICATION 
As a below Based inventor, we hereby declare that; 

My residence, post office address and citizenship are as stated below next to ty name. I believe I an 
the original, first and sole inventor (if only one name is listed below) or an original, first and joint 
inventor (if plural names are listed below! of the subject Matter which is claimed and for which a patent 
is sought on the invention entitled SYSTEM FOR ELECTRONIC REPOSIT ORY OF DATA ENFORCING ACCESS CONTROL 
ON DATA RETRIEVAL 



the specification of which 
X is attached hereto 
was filed on 



[check one) 



as United States Application Number 



or PCT international Application Nuiber 

and was amended on . 

I hereby state that I have reviewed and understand the contents of the above identified specification, 
including claims, as amended by any asendient referred to above. I acknowledge the duty to disclose to 
the U.S. Patent and Trademark Office all information known to me to be laterial to patentability as 
defined in 37 C!R § 1.55, 

I hereby claim foreign priority benefits under 35 D.S.C. § 119(a)-(d) or 

S 365 (b) of any foreign applications) for patent or inventor's certificate, or §365 (a) of any PCT 
International application which designated at least one country other than the United States, listed 
below and have also identified below any foreign application for patent or inventor's certificate, or PCT 
International application having a filing date before that of the application on which priority is 

claimed. , tL _ , _ 

Priority Claned 



2.256,934 



(Number) 



(Number) 



CANADA 



(Country) 



(Country) 



23/12/98 



I Yes 



No 



(Day/Month/Year Filed) 



(Day/Month/Year Filed) 



Yes _ No 



I hereby claim the benefit under 35 U.S.C. I 119(e) of any United States provisional application^] 
listed below. 



(Application Number) 



(Filing Date) 



(Filing Date) 



(Application Number) 

I hereby claim the benefit under 35 U.S.C I 120 of any United States application? s) , or § 365(c) of any 
PCT international application designating the United States, listed below and, insofar as the sublet 
matter of each of the claims of this application is not disclosed in the prior United States or PCT 
international application in the manner provided by the first paragraph of 35 U.S.C. § 112, I acknowledge 
the duty to disclose material information as defined in 37 CFR § 1.55(a) which occurred between the 
filing date of the prior application and the national or PCT international filing date of this 
application: 



(AppL Serial No.) 



(Filing Date) 



(status) (patented, pending, abandoned) 



(Appl, Serial No.) 



(Filing Date) 



(Status) (patented, pending, abandoned) 
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ADDED PAGE TO COMBINED DECLARATION AND POSER OF ATTORNEY 
FOR SIGNATURE BY FIRST AUD SOBSIQDEIT IPEHTORS 

POWE R OF ATTORNEY: As a naied inventor, I hereby appoint the following attorney ( s) and/or agent(s) to 
prosecute this application and transact all business in the Patent and Tradeiark Office connected 
therewith; 

Manny th SchecterUeg, 31, 72 2 ) ; Terry Ilardi(Reg, 29 , 936 ); Christopher R. Hughasf Reg 25,914); 

Edward A, Pennington( Reg. 32,583}; John S. Roel { Reg. 26,279); Joseph C, Redmond, Jr,(Reg. 18,753); 

James B. Murray! Reg. 20,915); Kevin K. Jordan(Reg. 40,277}; Stephen C. KaufianiReg. 29,551); 

Jay P. SbrollinijReg. 36,266}; David M. Shof i { Reg, 39,835); Robert M> TrepplReg. 25,933); 

Louis P, HerzbergjReg, 41,500); Douglas W, Casieronf Reg. 31,596); Paul Otterstedtf Reg. 37,411); Louis J, 

?ercello(Reg. 33,206 ); Daniel P. Morrisf Reg, 32,053 ). 



Send Correspondence to; Jaies I. Murray 

59 South Gate Drive, Poughkeepsie, H,T. 126G1 
Telephone; < 3 1 4 } 462-4753 



I hereby declare that all statements made herein of ly own knowledge are true and that all statements 
lade on information and belief are believed to be true; and further that these statements were lade with 
the knowledge that willful false stateients and the like so made are punishable by fine or iiprisonient , 
or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements 
lay jeopardise the validity of the application or any patent issued thereon, 



Full Hame of sole or first inventor: SAHIB BACBA 



Signature: Date; 

Residence: 9510 LOCUST HILL DR., GREAT FALLS, VIRGINIA 22066 

Citizenship: U.S. 

Post Office Address; Sane as above 



Full Name of second joint inventor: ROBERT BRUCE CARROLL 



Signature: Date: 

Residence: 246 BYRAK LAKE ROAD, HOUNT KISCO, NE8 YORK 10549 

Citizenship: U.S. 

Post Office Address: Saie as above 



Date: ^^/ l 3 9 S 



Full Manse of sole or third inventor: LEV MIRLAS 



Signature: 




Residence: 98 MILLCROFT MAY f THORNHILL, ONTARIO, CANADA, L4J 6P4 
Citizenship; CANADIAN 
Post Office Address: Same as above 
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Full Nase of fourth inventor: SONG (II TCHAD 



Signature: 






Residence: 15S HOLLY 
Citizenship: CANADIAN 
Post Office Address: Saie as above 



5, ONTARIO, CANADA M2N 3K5 



Date 
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